Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I need to retrieve results for the last 30 days, but why is my search only returning results for the last 3 days?

gandusarath
Engager
‎12-11-2015 06:19 AM

I have this search:

 index=os sourcetype=ps host=rtl*pxiw01* (DataFlowEngine AND *Inbound) earliest=-30d | multikv fields RSZ_KB,VSZ_KB,COMMAND,ARGS | search (COMMAND="DataFlowEngine" AND ARGS=*Inbound) 
| timechart span=1d max(VSZ_KB) as VSZ by host .

I need to retrieve results for last 30 days, but my search head is retrieving results only for the last 3 days. Can someone please advise on how to get results for 30 days?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-14-2015 04:03 AM

You used earliest=-3d but do you know of _index_earliest ? and _index_latest ?

Also did you change the timepicker or just specify earliest in your search?

Finally, are the dates right on all your data? Say 27 days of your data was from 2001 due to an incorrect timestamp... Splunk would index these events as if they were 14 years ago, not last 30d. So in this case, you'd be interested in _index_earliest=-3d instead.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎12-11-2015 08:06 AM

Do you have more than 3 days of data in there? If you remove ALL references to time and just run your base search with the time selector set to "all time", what do you get?

This search, that is:

index=os sourcetype=ps host=rtl*pxiw01* (DataFlowEngine AND *Inbound)

Let us know what you find.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎12-13-2015 01:03 PM

In addition run this command to see when the index saw the first event form the hosts host=rtl*pxiw01*:

 | metadata type=host index=os | search host=rtl*pxiw01* | convert ctime(firstTime) AS TimeOfFirstEvent | sort - firstTime
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...